Analyzing a SSL Trojan's inner workings

I was recently sent an SSL Trojan from a security consultant assisting a bank with a large online presence. This particular SSL Trojan had installed itself on more than 100 of the bank customers' computers. The most interesting part was that the Trojan could insert itself in the SSL connection between the customerís browser and the bankís SSL Web site. I made a weak attempt to disassemble the Trojan, followed by executing it on my specially configured analysis virtual machine computer.

I fired up the excellent IDA Pro Disassembler and opened the Trojan. I immediately learned it was packed (compressed to minimize size and complicate malware analysis) using ASPACK. IDA Pro still showed me a few API calls: I now knew the Trojan manipulated the Windows registry, and used basic Windows APIs (Ntdll.dll) and some C libraries (Msvcr71.dll). An SSL trojan unmasked | InfoWorld | Column | 2006-03-03 | By Roger A. Grimes